Tutorial 2 - Network Defense Tools

1. CYBER SECURITY-TUTORIAL2
FROM: SWETA DARGAD
ASSISTANT PROFESSOR
NTC

2. NETWORK DEFENCE TOOLS
• 1. Explain what is a computer network .
• 2. Explain what is a firewall.
• 3. List types of firewalls and explain in breif.
• 4. Difference between Packet Filter and Firewall
• 5. Write difference between stateless and statefull firewall.
• 6. Explain what is NAT.
• 7. What is port forwarding.
• 8. Difference between windows firewall and linux firewall
• 9. What is Intrution detection system

3. WHAT IS A COMPUTER NETWORK
A computer network is a group of computer systems and other computing hardware devices that are linked together
through communication channels to facilitate communication and resource-sharing among a wide range of users.
1. Local Area Networks (LAN)
2. Personal Area Networks (PAN)
3. Home Area Networks (HAN)
4. Wide Area Networks (WAN)
5. Campus Networks
6. Metropolitan Area Networks (MAN)
7. Enterprise Private Networks
8. Internetworks
9. Backbone Networks (BBN)
10. Global Area Networks (GAN)
11. The Internet

5. NETWORKS ARE USED TO
1. Facilitate communication via email, video conferencing,
instant messaging, etc.
2. Enable multiple users to share a single hardware device
like a printer or scanner
3. Enable file sharing across the network
4. Allow for the sharing of software or operating programs
on remote systems
5. Make information easier to access and maintain among
network users

6. WHAT IS A FIREWALL
A firewall is software or hardware that checks information coming from the Internet or a network, and
then either blocks it or allows it to pass through to your computer, depending on your firewall settings.
 A choke point of control and monitoring
 Interconnects networks with differing trust
 Imposes restrictions on network services
 only authorized traffic is allowed
 Auditing and controlling access
 can implement alarms for abnormal behavior
 Itself immune to penetration
 Provides perimeter defence

7. FIREWALL

8. TYPES OF FIREWALLS
 Packet filtering
 Application gateways/Proxy Firewalls:
 Circuit gateways/ Network layer Firewalls
 Unified threat management

9. FIREWALLS – PACKET FILTERS

10. FIREWALLS – PACKET FILTERS
 Simplest of components
 Uses transport-layer information only
 IP Source Address, Destination Address
 Protocol/Next Header (TCP, UDP, ICMP, etc)
 TCP or UDP source & destination ports
 TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
 ICMP message type
 Examples
 DNS uses port 53
 No incoming port 53 packets except known trusted servers

11. USAGE OF PACKET FILTERS
• Filtering with incoming or outgoing interfaces
• E.g., Ingress filtering of spoofed IP addresses
• Egress filtering
• Permits or denies certain services
• Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

12. Every ruleset is followed by an implicit rule
reading like this.
Example 1:
Suppose we want to allow inbound mail
(SMTP, port 25) but only to our gateway
machine. Also suppose that mail from some
particular site SPIGOT is to be blocked.

13. Solution 1:
Example 2:
Now suppose that we want to implement the
policy “any inside host can send mail to the
outside”.

14. Solution 2:
This solution allows calls to come from any
port on an inside machine, and will direct them
to port 25 on the outside. Simple enough…
So why is it wrong?

15.  The ACK signifies that the packet is part of an
ongoing conversation
 Packets without the ACK are connection
establishment messages, which we are only
permitting from internal hosts

16. SECURITY & PERFORMANCE OF PACKET FILTERS
 IP address spoofing
 Fake source address to be trusted
 Add filters on router to block
 Tiny fragment attacks
 Split TCP header info over several tiny packets
 Either discard or reassemble before check
 Degradation depends on number of rules applied at any point
 Order rules so that most common traffic is dealt with first
 Correctness is more important than speed

17. FIREWALLS – STATEFUL PACKET FILTERS
 Traditional packet filters do not examine higher layer context
 ie matching return packets with outgoing flow
 Stateful packet filters address this need
 They examine each IP packet in context
 Keep track of client-server sessions
 Check each packet validly belongs to one
 Hence are better able to detect bogus packets out of context

18. STATEFUL FILTERING

19. PROXY FIREWALLS
• A proxy firewall is a network security system that protects network resources by filtering messages at
the application layer. A proxy firewall may also be called an application firewall or gateway firewall.

20. FIREWALL GATEWAYS
 Firewall runs set of proxy programs
 Proxies filter incoming, outgoing packets
 All incoming traffic directed to firewall
 All outgoing traffic appears to come from firewall
 Policy embedded in proxy programs
 Two kinds of proxies
 Application-level gateways/proxies
 Tailored to http, ftp, smtp, etc.
 Circuit-level gateways/proxies
 Working on TCP level

21. FIREWALLS - APPLICATION LEVEL GATEWAY (OR
PROXY)

22. APPLICATION-LEVEL FILTERING
 Has full access to protocol
 user requests service from proxy
 proxy validates request as legal.
 then actions request and returns result to user
 Need separate proxies for each service
 E.g., SMTP (E-Mail)
 NNTP (Net news)
 DNS (Domain Name System)
 NTP (Network Time Protocol)
 custom services generally not supported

23. APP-LEVEL FIREWALL ARCHITECTURE
Daemon spawns proxy when communication detected …
Network Connection
Telnet
daemon
SMTP
daemon
FTP
daemon
Telnet
proxy
FTP
proxy SMTP
proxy

24. ENFORCE POLICY FOR SPECIFIC PROTOCOLS
• E.g., Virus scanning for SMTP
• Need to understand MIME, encoding, Zip archives

25. NETWORK LAYER FIREWALLS
In Figure 1, a network layer firewall called a ``screened host firewall'' is represented.
In a screened host firewall, access to and from a single host is controlled by means of a
router operating at a network layer. The single host is a bastion host; a highly-defended
and secured strong-point that (hopefully) can resist attacks.

26. In figure 2, a network layer firewall called a ``screened subnet firewall''
is represented. In a screened subnet firewall, access to and from a whole network is controlled by means
of a router operating at a network layer. It is similar to a screened host, except that it is, effectively, a
network of screened hosts.

27. APPLICATION LAYER FIREWALLS
 Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between
networks, and they perform elaborate logging and examination of traffic passing through them.
 Since proxy applications are simply software running on the firewall, it is a good place to do logging
and access control.
 Application layer firewalls can be used as network address translators, since traffic goes in one side
and out the other after having passed through an application that effectively masks the origin of
the initiating connection.

28. DUAL-HOME GATEWAY
In figure 3, an application layer firewall called a ``dual homed gateway'' is represented.
A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces,
one on each network, and blocks all traffic passing through it.

29. FIREWALLS AREN’T PERFECT?
• Useless against attacks from the inside
• Evildoer exists on inside
• Malicious code is executed on an internal machine
• Organizations with greater insider threat
• Banks and Military
• Protection must exist at each layer
• Assess risks of threats at every layer
• Cannot protect against transfer of all virus infected programs or files
• because of huge range of O/S & file types

30. UNIFIED THREAT MANAGEMENT
Unified Threat Management (UTM) is an all-in-one network security solution.
UTM provides multiple security features (firewalling, intrusion prevention, anti-virus, etc.)
without the complexity that comes with managing multiple security vendors.

31. PACKET FILTER
 packet filtering is the process of passing or
blocking packets at a network interface based
on source and destination addresses, ports,
or protocols.
 The process is used in conjunction with
packet mangling and Network Address
Translation (NAT).
 Packet filtering is often part of a firewall
program for protecting a local network from
unwanted intrusion.
FIREWALL
 packet filtering is the process of passing or
blocking packets at a network interface based
on source and destination addresses, ports,
or protocols.
 The process is used in conjunction with
packet mangling and Network Address
Translation (NAT).
 Packet filtering is often part of a firewall
program for protecting a local network from
unwanted intrusion.

32. NETWORK ADDRESS TRANSLATION
• RFC-1631
• A short term solution to the problem of the
depletion of IP addresses
• Long term solution is IP v6 (or whatever is finally
agreed on)
• CIDR (Classless InterDomain Routing ) is a possible
short term solution
• NAT is another
• NAT is a way to conserve IP addresses
• Hide a number of hosts behind a single IP address
• Use:
• 10.0.0.0-10.255.255.255,
• 172.16.0.0-172.32.255.255 or
• 192.168.0.0-192.168.255.255 for local networks

33. Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP
address. NAT is necessary when the number of IP addresses assigned to you by your Internet
Service Provider is less than the total number of computers that you wish to provide Internet
access for.

34. PORT FORWARDING
port forwarding or port mapping is an application of network address
translation (NAT) that redirects a communication request from one address and
port number combination to another while the packets are traversing a network
gateway, such as a router or firewall.
1. Local port forwarding
2. Remote port forwarding
3. Dynamic port forwarding

36. HACKING THROUGH NAT
 Static Translation
 offers no protection of internal hosts
 Internal Host Seduction
 internals go to the hacker
 e-mail attachments – Trojan Horse virus’
 peer-to-peer connections
 hacker run porn and gambling sites
 solution = application level proxies
 State Table Timeout Problem
 hacker could hijack a stale connection before it is timed out
 very low probability but smart hacker could do it
 Source Routing through NAT
 if the hacker knows an internal address they can source route a packet to that
host
 solution is to not allow source routed packets through the firewall

37. TYPES OF FIREWALLS
1. Network layer firewalls:
Network layer firewalls generally make their decisions based on the source address, destination
address and ports in individual IP packets
2. Application layer firewalls:
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between
networks, and they perform elaborate logging and examination of traffic passing through them.
3. Proxy firewalls
Proxy firewalls offer more security than other types of firewalls, but at the expense of speed and
functionality, as they can limit which applications the network supports.
4. Unified threat management
A new category of network security products -- called unified threat management (UTM) -- promises
integration, convenience and protection from pretty much every threat out there

38. INTRUTION DETECTION SYSTEM
An intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
1. Anomaly Detection
2. Signature Based Detection

39. ALERTS
• Burglar Alert/Alarm: A signal suggesting that a system has been or is being attacked.
• Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system
(True Positive) divided by the total number of intrusion instances present in the test set.
• False Alarm Rate: defined as the number of 'normal' patterns classified as attacks (False Positive) divided by
the total number of 'normal' patterns.
• ALERT TYPE:-
• True Positive: : Attack - Alert
• False Positive: : No attack - Alert
• False Negative: : Attack - No Alert
• True Negative: : No attack - No Alert